
Authentication

All registry services are protected by Authelia — the central SSO system at auth.hochguertel.work.

Authentication Methods

Web UI Access

All web interfaces (Verdaccio, Docker UI, Reposilite, DevPI) are protected by Authelia's ForwardAuth middleware. When you access any registry UI:

  1. Traefik intercepts the request
  2. Authelia checks if you have a valid session
  3. If not authenticated, you're redirected to the Authelia login page
  4. After login, you're redirected back to the registry UI

CLI Authentication

Each registry has its own CLI authentication method:

Registry | Auth Method    | Command
npm      | OIDC (browser) | npm login --registry https://npm.registry.hochguertel.work
Docker   | Token auth     | podman login docker.registry.hochguertel.work
Maven    | Token/Password | Configured in settings.xml
PyPI     | Password       | devpi login root --password <pass>

npm (OIDC)

Verdaccio uses OpenID Connect with Authelia. When you run npm login, it opens your browser for authentication:

bash
npm login --registry https://npm.registry.hochguertel.work
# Browser opens → Authelia login → redirect back → token stored

Docker (Token Auth)

The Docker registry uses a custom token server that validates credentials against Authelia's user database:

bash
podman login docker.registry.hochguertel.work
# Enter Authelia username and password

Maven (Reposilite Tokens)

Reposilite has its own access token system. Generate a token via the web UI:

  1. Log in to maven.registry.hochguertel.work
  2. Go to Settings → Access Tokens
  3. Generate a new token
  4. Add the token to ~/.m2/settings.xml

PyPI (DevPI Client)

bash
pip install devpi-client
devpi use https://pypi.registry.hochguertel.work
devpi login root --password <admin-password>

User Management

Users are managed centrally in Authelia at /opt/services/authelia/users_database.yml.

To add a new user:

bash
cd /opt/services/authelia
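# Generate password hash
# Note: a password given via --password is recorded in shell history and visible in the process list;
# omit the flag to be prompted instead (needs podman exec -it)
podman exec authelia authelia crypto hash generate argon2 --password 'newpassword'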

# Add user to users_database.yml
# Restart Authelia to apply
podman compose restart authelia

Troubleshooting

302 Redirect Loop

If you get redirect loops, check:

  • Authelia cookie domain matches hochguertel.work
  • The service domain ends with .hochguertel.work
  • Authelia access control rules allow the domain

401 Unauthorized (CLI)

  • Verify credentials are correct
  • Check if the user exists in Authelia's user database
  • For Docker: Ensure token server is running (task health)
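
A check for the "user exists" item above, also usable to verify an entry after the User Management edit; this is an added example, not part of the original documentation. It assumes users_database.yml follows Authelia's file-backend layout with 2-space indentation; the sample data and the names parse_users and check_user are constructed for illustration.

```python
import re

# Constructed sample in the layout of Authelia's file-based user database (not real data).
SAMPLE_DB = '''\
users:
  alice:
    disabled: false
    displayname: "Alice Example"
    password: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNo"
    email: alice@example.com
    groups:
      - developers
  bob:
    disabled: true
    password: "changeme"
    email: bob@example.com
'''

# PHC string shape printed by `authelia crypto hash generate argon2`.
ARGON2 = re.compile(r"^\$argon2(id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")

def parse_users(text):
    """Minimal reader for the 'users:' mapping; assumes 2-space indentation."""
    users, current, in_users = {}, None, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # top-level key starts or ends the users block
            in_users, current = line.rstrip() == "users:", None
        elif in_users and (m := re.match(r"^  ([^\s:#][^:]*):\s*$", line)):
            current = users.setdefault(m.group(1).strip("'\""), {})
        elif current is not None and (m := re.match(r"^    (\w+):\s*(.*)$", line)):
            current[m.group(1)] = m.group(2).strip().strip("'\"")
    return users

def check_user(text, name):
    """Return the problems that would explain a 401 for this user."""
    user = parse_users(text).get(name)
    if user is None:
        return ["user not found"]
    problems = []
    if user.get("disabled", "false").lower() == "true":
        problems.append("user is disabled")
    if not ARGON2.match(user.get("password", "")):
        problems.append("password is not an argon2 digest")
    return problems

if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, check_user(SAMPLE_DB, name) or "ok")
```

To check the live file, pass the contents of /opt/services/authelia/users_database.yml to check_user as text.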

hochguertel.work Registry Platform